Thursday, July 7, 2011

Criminal Profiling in Digital Forensic

Criminal
profiling has been used by crime investigators for centuries. It
gained world wide attention after being used in England in Jack the
Ripper case. Diamon A. Muller (2000) describes criminal profiling as
a process “designed to generate information on a perpetrator of a
crime, usually a serial offender, through an analysis of the crime
scene left by the perpetrator” allowing law enforcement agencies to
better utilize limited resources. Criminal profiling has two distinct
approaches: inductive and deductive analysis (Rogers M. 2003). The
inductive approach relies on the statistical analysis of behaviour
patterns from previously convicted offenders while deductive focuses
on the case specific evidence. One of the examples of criminal
profiling methodologies is “diagnostic evaluation (DE), crime scene
analysis (CSA), and investigative psychology (IP)” (Diamon A.
Muller, 2000).There are
two contradicting points of view on criminal profiling; some claim it
is an art while others claim it is a science similar to criminology
and psychology. Moreover, as oppose to criminology or physiology,
human lives may be depended on accuracy of criminal profiling: “if
a profile of an offender is wrong or even slightly
inadequate police maybe misled allowing
the offender to escape
detection for a little while longer—and innocent people may be dead
as a result.”
(Diamon A. Muller, 2000). As a result, many law enforcement agencies
are still evaluating the adoption of criminal profiling.Since
digital forensic investigation is in essence crime investigation,
that has similar investigation phases (acquisition of evidence,
authentication, analysis and reporting/presentation), criminal
profiling can be used as well to predict offenders behaviour. Just
like in the traditional crime investigation, “digital” offenders
have motives, different skill levels and tools. Regardless on the
profiling methodology (inductive or deductive), the results of
criminal profiling can greatly aid digital forensic investigation.“The
network evidence acquisition process often results in a large amount
of data” (Laureate Online Education B.V. 2009) and the results of
criminal profiling can help the investigator conduct a more specific
keyword search, focus of specific area (i.e. allocated and
unallocated space) and geographical location (IP addresses).
Moreover, the profiling information can pinpoint supporting or
corroborating evidence such as IRC chat channels, FTP sites,
underground forums and newsgroups (Rogers, M 2003).Just like
traditional criminals, “digital” offenders have weaknesses that
could be used when interviewing/interrelating suspects or witnesses.
Although the interview process itself could be completely different
from what we traditionally understand as “interview” (i.e. IRC
chat rooms, forums, mailing lists, etc.), Rogers M. notes that
“individuals who engage in deviant computer behaviour share some
common personality traits, and given the proper encouragement, show a
willingness to discuss and brag about their exploits” (Rogers, M
2003).